A new supply chain attack has been uncovered targeting users of Guardarian, a cryptocurrency payment gateway, through malicious packages published on the NPM registry. According to cybersecurity firm SafeDep, threat actors uploaded 36 fake packages disguised as plugins for Strapi, an open-source headless content management system widely used by developers.
The malicious packages were distributed across multiple accounts and designed to deliver a range of harmful payloads. These included capabilities such as executing remote shell commands, escaping Docker containers, and harvesting sensitive credentials from compromised systems.
Researchers identified multiple attack techniques embedded within the packages. One payload exploited Redis instances to inject malicious tasks, deploy web shells, and extract sensitive data, including API modules linked to Guardarian. Another was capable of breaking out of containerized environments, writing malicious scripts to host systems, and accessing credentials stored in services such as Elasticsearch and digital wallets.
Additional payloads were found targeting PostgreSQL databases, scanning systems for wallet files and private keys, exfiltrating Strapi configuration data, and establishing persistent access through reverse shells and long-term implants.
SafeDep noted that the attack evolved over time, stating, “The attacker started aggressive… found those approaches weren’t working, pivoted to reconnaissance and data collection… and finally settled on persistent access with targeted credential theft.”
The campaign appears to be specifically tailored for the Strapi ecosystem, as indicated by the naming patterns of the malicious plugins, targeted file paths, and focus on environments commonly used by Strapi deployments, particularly on Linux systems.
Security experts have advised developers who may have installed any of these packages to immediately rotate all credentials, including database passwords, API keys, and authentication tokens, to mitigate potential risks.
This incident highlights the growing threat of software supply chain attacks within open-source ecosystems, where seemingly legitimate third-party packages can be weaponized to compromise developer environments and enterprise systems.